Asymmetric Currency Rounding
David M'Raïhi¹, David Naccache², and Michael Tunstall³
¹ Gemplus
3 Lagoon Drive, Suite 300, Redwood City, CA 94065, USA
² Gemplus
34 rue Guynemer, Issy-les-Moulineaux, F-92447, France
³ Gemplus, Card Security Group
B.P. 100, Gémenos, F-13881, France
Abstract. The euro was introduced on the first of January 1999 as a common currency in fourteen European nations. EC regulations are fundamentally different from usual banking practices for they forbid fees when converting national currencies to euros (fees would otherwise deter users from adopting the euro); this creates a unique fraud context where money can be made by taking advantage of the EC's official rounding rules.
This paper proposes a public-key-based protection against such attacks. In our scheme, the parties conducting a transaction cannot predict whether the rounding will cause loss or gain while the expected statistical difference between an amount and its euro-equivalent decreases exponentially as the number of transactions increases.
1 Introduction
Economic and Monetary Union (in short EMU) is a further step in the ongoing process of European integration. EMU will create an area whose economic potential will sustain comparison to that of the United States. Given the size of the euro area, the euro is expected to play an important role as an international currency. As a trade invoicing currency, the euro will also extend its role way beyond direct trade relations.
Issues related to euro conversion were therefore precisely addressed [3] within the general framework of the European financial market. A specific directive stating conversion rules for currencies inside the monetary union was also prepared and issued [1]. The main objective of this directive is to provide financial institutions with a comprehensive set of rules addressing all issues related to currency conversions and currency rounding issues. Although a great deal of attention was paid while standardizing the different formulae, the constraint imposed by the requirement of not introducing conversion fees (a political requirement) opens the door to new fraud strategies.
In the following sections we explore fraud scenarios based on the actual rounding formula and present efficient counter-measures combining randomness and public-key cryptography.
2 Currency Conversion
For centuries, currency conversions were governed by (rounded) affine functions:
$$f(x) = \mathrm{round}\left(\frac{x}{\rho} - \kappa\right)$$
In financial terms, κ is the banker's commission (or exchange fee) expressed in the target currency, ρ is the conversion rate and the round function is an approximation rule such that for all x:
$$\Delta = \frac{x}{\rho} - f(x) > 0$$
where Δ represents the agent's benefit or margin.
At the beginning of 1999, the exchange rates between fourteen European currencies were set with respect to the euro (cf. Appendix A) but, being an obstacle to the euro's widespread adoption, exchange fees were forbidden (κ = 0) by law. EC regulation 1103/97 specifies that the European-wide legally-binding conversion formula is:
$$f(x) = \left\lfloor 100 \times \frac{x}{\rho} + \frac{1}{2} \right\rfloor \times \frac{1}{100}$$
As a characteristic example, the conversion of 1000 frf into euros would be done as follows:
$$\frac{x}{\rho} = \frac{1000}{6.55957} = 152.4490172\ldots \rightarrow x' = 152.45$$
The conversion between two European currencies is somewhat more intricate; the value of the first currency is converted to scriptural euros, rounded to three decimal places (i.e. 0.1 cent) and then converted into the target currency as illustrated in the next example where 1000 frf are converted into nlg:
$$\frac{x}{\rho} = \frac{1000}{6.55957} = 152.4490172\ldots \rightarrow x' = 152.449$$
$$x' \times \rho = 152.449 \times 2.20371 = 335.9533857\ldots \rightarrow x'' = 335.95$$
We refer the reader to [1] for further (mainly legal) details.
3 Rounding attacks
Attacks (characterized by a negative Δ) are possible when two different amounts in a given currency collide into the same value in euros; this is only possible when the smallest sub-unit of the concerned currency is worth less than one cent; examples are rather common and easy to construct:
$$\frac{x}{\rho} = \frac{1100}{200.482} = 5.48678\ldots \rightarrow x' = 5.49$$
$$\frac{y}{\rho} = \frac{1101}{200.482} = 5.49176\ldots \rightarrow y' = 5.49$$
The smallest Portuguese unit is the centavo (which only exists for scriptural payments); as the smallest circulating currency unit is the escudo, it appears in our example that $x' = y'$ although $x \neq y$.
The attacker can therefore create an escudo ex-nihilo by investing $x = 1100$ and converting them to $x' = 5.49$ using the official conversion rule; then, using the EC's formula in the opposite direction, the attacker can convert the $x'$ back to escudos and cash 1101 pte:
$$x' \times \rho = 5.49 \times 200.482 = 1100.65 \rightarrow x'' = 1101$$
Note that although more decimal places can be used, higher precision neither prevents, nor significantly slows down this potential fraud which becomes particularly relevant when automated attackers (e.g. home-based PCs) enter the game.
4 Probabilistic rounding
Correcting the EC's formula without introducing conversion fees (a public-acceptance constraint) is a challenging problem. The approach chosen in this paper consists of rounding up with a probability p and down with probability 1 − p to make the rounding unpredictable before completing the conversion process.
At its most simple this would involve rounding with a 1/2 probability as illustrated in the following examples:
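$$\frac{x}{\rho} = \frac{1100}{200.482} = 5.48678\ldots \rightarrow \begin{cases} x' = 5.49\ \text{eur} & \text{with probability } 1/2 \\ x' = 5.48\ \text{eur} & \text{with probability } 1/2 \end{cases}$$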
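and, repeating the process in the opposite direction:
$$x' \times \rho = 5.49 \times 200.482 = 1100.65 \rightarrow \begin{cases} x'' = 1101\ \text{pte} & \text{with probability } 1/2 \\ x'' = 1100\ \text{pte} & \text{with probability } 1/2 \end{cases}$$
$$x' \times \rho = 5.48 \times 200.482 = 1098.64 \rightarrow \begin{cases} x'' = 1099\ \text{pte} & \text{with probability } 1/2 \\ x'' = 1098\ \text{pte} & \text{with probability } 1/2 \end{cases}$$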
consequently, if numerous transactions are carried out money would be lost as the expected return, E(1100), is smaller than 1100:
$$E(1100) = \frac{1101}{4} + \frac{1100}{4} + \frac{1099}{4} + \frac{1098}{4} = 1099.5 < 1100$$
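The opposite problem appears when 1000 esp (where ρ = 166.386) are converted back and forth:
$$x = 1000 \rightarrow x' = 6.02\ (\text{probability } 1/2) \rightarrow \begin{cases} x'' = 1002 & \text{probability } 1/4 \\ x'' = 1001 & \text{probability } 1/4 \end{cases}$$
$$x = 1000 \rightarrow x' = 6.01\ (\text{probability } 1/2) \rightarrow \begin{cases} x'' = 1000 & \text{probability } 1/4 \\ x'' = 999 & \text{probability } 1/4 \end{cases}$$
where the expected return is: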
$$E(1000) = \frac{999}{4} + \frac{1000}{4} + \frac{1001}{4} + \frac{1002}{4} = 1000.5 > 1000$$
It is thus possible to take advantage of probabilistic rounding as p = 1/2 only slows the attacker by forcing him to expect less return per transaction, but the system's overall behavior remains problematic.
To make x and E(x) equal, p should depend on the ratio x/ρ and statistically compensate for the rounded digits.
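Denoting by $\mathrm{frac}(x) = x - \lfloor x \rfloor$ the fractional part of x, let:
$$p(x, \rho) = \mathrm{frac}\left(100 \times \mathrm{frac}\left(\frac{x}{\rho}\right)\right) \qquad (1)$$
be the probability of rounding x currencies at rate ρ.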
For example, for 1000 pesetas where x/ρ = 6.0101210..., truncation yields:
$$p(1000, 166.386) = 0.01210\ldots$$
and:
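$$x = 1000 \rightarrow x' = 6.02\ (\text{probability } 0.0121) \rightarrow \begin{cases} x'' = 1002 & \text{probability } 0.00778877 \\ x'' = 1001 & \text{probability } 0.00431123 \end{cases}$$
$$x = 1000 \rightarrow x' = 6.01\ (\text{probability } 0.9879) \rightarrow \begin{cases} x'' = 1000 & \text{probability } 0.96794442 \\ x'' = 999 & \text{probability } 0.01995558 \end{cases}$$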
This system has an expected return of:
$$E(1000) = 0.00778877 \times 1002 + 0.00431123 \times 1001 + 0.96794442 \times 1000 + 0.01995558 \times 999 = 999.99993319 \cong 1000$$
and presents the following theoretical guarantee:
Lemma 1: Let x be an amount in a currency whose rate is ρ and denote by E(x) the fraud expectation after a back and forth (currency → euro → currency) probabilistic conversion of x where p(x, ρ) is determined by formula (1). Then:
$$E(x) = x$$
p can be taken to a higher degree of accuracy. If the probabilities are implemented to the highest possible accuracy degree (i.e. all decimal places, where possible), then the expected result will be as close to the value used in the first conversion as possible. Applied to the previous example the fraud expectation is exactly equal to $1000 + 3 \times 10^{-11}$ esp. Greater security can only be gained by increasing the accuracy of the exchange rates themselves.
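The round-trip expectations of Sections 3 and 4 can be recomputed exactly with rational arithmetic, which makes the residual bias of each rounding policy visible. The following is an added example, not code from the paper; the function and mode names are illustrative and it assumes the national currency is rounded to whole units, as for pte and esp.

```python
from fractions import Fraction as F
from math import floor

PTE, ESP = F("200.482"), F("166.386")   # rates used in the paper's examples

def outcomes(value, step, mode, digits=None):
    """Return {rounded amount: probability} for rounding `value` to a multiple of `step`.

    mode "ec"   : Regulation 1103/97, nearest with halves rounded up
    mode "half" : round up with fixed probability 1/2
    mode "frac" : formula (1), round up with probability equal to the discarded
                  fraction, optionally truncated to `digits` decimal places
    """
    q = value / step
    lo = floor(q)
    frac = q - lo
    if frac == 0:                        # already exact, nothing to round
        return {lo * step: F(1)}
    if mode == "ec":
        p_up = F(1) if frac >= F(1, 2) else F(0)
    elif mode == "half":
        p_up = F(1, 2)
    else:
        p_up = frac
        if digits is not None:
            p_up = F(floor(p_up * 10**digits), 10**digits)
    return {(lo + 1) * step: p_up, lo * step: 1 - p_up}

def round_trip(x, rho, mode, digits=None):
    """Exact expected amount after currency -> euro (cents) -> currency (units)."""
    expected = F(0)
    for eur, p1 in outcomes(F(x) / rho, F(1, 100), mode, digits).items():
        # Assumption: the national currency is rounded to whole units.
        for back, p2 in outcomes(eur * rho, F(1), mode, digits).items():
            expected += p1 * p2 * back
    return expected

if __name__ == "__main__":
    for label, x, rho in (("1100 pte", 1100, PTE), ("1000 esp", 1000, ESP)):
        print(label,
              "| EC:", float(round_trip(x, rho, "ec")),
              "| p=1/2:", float(round_trip(x, rho, "half")),
              "| formula (1), 4 digits:", float(round_trip(x, rho, "frac", 4)),
              "| formula (1), exact:", float(round_trip(x, rho, "frac")))
```

Probabilities truncated to four decimals give the 999.99993319 of the worked example, while untruncated rational probabilities return x itself, as Lemma 1 states.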
5 An asymmetric solution
Probabilistic rounding requires an impartial random source S, independent of the interacting parties (A and B) and (as is usual in cryptography) the best way of generating trust consists of giving neither party the opportunity to deviate from the protocol. The solution is somewhat analogous to [2].
This is hard to achieve with probabilistic rounding, as it is impossible to prove whether x/ρ was rounded correctly or not. Therefore, when A or B gains money after a few transactions, it cannot be proved if this happened by chance or not. Public-key cryptography can nevertheless serve here, both as S and as a fair rounding proof.
When a transaction is carried out, transaction data are concatenated and signed by A, using a deterministic signature scheme (typically RSA). The signature is then used as randomness source to generate a number 0 ≤ τ ≤ 1 to the same number of decimal places as the probability P. If τ ≤ P then the value at the end of the transaction is rounded up, otherwise it is rounded down. The signature, sent back by A, will convince B that once converted, the amount was rounded fairly:
– A and B negotiate the transaction details t (including the amount to be converted).
– B sends to A a sufficiently long (160-bit) random challenge r1.
– A sends to B a sufficiently long (160-bit) random challenge r2.
– B concatenates m = t || r1 || r2 and signs m with his deterministic signature scheme.
– B sends the signature to A who checks that m was properly signed.
– τ is extracted from the signature and used as explained in the previous section.
The protocol can, of course, be simplified in several ways. For instance, r1 can be replaced by a simple transaction counter (it is assumed that during the account's lifetime, the transaction counter never takes the same value twice).
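The exchange listed above can be followed end to end in code: because m contains both challenges and the signature is deterministic, m has exactly one valid signature, so the signer cannot re-sign until τ is favourable. This is an added example, not code from the paper; the toy RSA key, the length-prefixed encoding of m and the way τ is derived from the signature are assumptions made for illustration.

```python
import hashlib
from fractions import Fraction as F

# Constructed toy RSA key built from two Mersenne primes: insecure, demo only.
P1, P2, E = 2**127 - 1, 2**107 - 1, 65537
N = P1 * P2
D = pow(E, -1, (P1 - 1) * (P2 - 1))

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def encode(t: bytes, r1: bytes, r2: bytes) -> bytes:
    """m = t || r1 || r2, with a length prefix so the fields cannot be shifted."""
    return len(t).to_bytes(2, "big") + t + r1 + r2

def sign(m: bytes) -> int:
    """B: deterministic hash-then-RSA signature, so one m has exactly one signature."""
    return pow(_digest(m) % N, D, N)

def verify(m: bytes, sig: int) -> bool:
    return 0 <= sig < N and pow(sig, E, N) == _digest(m) % N

def tau(sig: int, digits: int) -> F:
    """Assumed extraction rule: hash the signature and keep `digits` decimals."""
    return F(_digest(sig.to_bytes(32, "big")) % 10**digits, 10**digits)

def checked_rounding(t, r1, r2, sig, x, rho, digits=6):
    """A: verify B's signature on m, then recompute the rounding B must apply."""
    if not verify(encode(t, r1, r2), sig):
        raise ValueError("signature does not match the negotiated transaction")
    cents = 100 * F(x) / F(rho)
    lo = cents.numerator // cents.denominator
    p = F(int((cents - lo) * 10**digits), 10**digits)   # P, truncated as in Section 4
    return F(lo + (1 if tau(sig, digits) <= p else 0), 100)

if __name__ == "__main__":
    import secrets
    t = b"convert 1100 pte to eur"          # constructed transaction details
    r1, r2 = secrets.token_bytes(20), secrets.token_bytes(20)   # 160-bit challenges
    sig = sign(encode(t, r1, r2))
    print("euro amount:", float(checked_rounding(t, r1, r2, sig, 1100, "200.482")))
```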
6 Conclusion
This paper presented a counter-measure that prevents a fraud scenario inherent to EC regulation 1103/97. Although current regulations do not present serious problems when applied occasionally in coin and bank-note conversions, the procedure proposed in this paper is definitely preferable in large-scale electronic fund transfers where automated attacks could cause significant losses.
References
1. Council Regulation (EC) No 1103/97 of June 17-th 1997 on certain provisions relating to the introduction of the euro.
2. M. Blum, Coin flipping by telephone: a protocol for solving impossible problems, 24-th IEEE Spring computer conference, IEEE Press, pp. 133–137, 1982.
3. DGII/D1 (EC), Note II/717/97-EN-Final, The introduction of the euro and the rounding of currency amounts, 1997.
4. R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, vol. 21, no. 2, pp. 120–126, 1978.
APPENDIX A
Euro exchange rates
country      symbol  currency   ρ = currency/euro
Austria      ats     schilling  13.7603
Belgium      bec     franc      40.3399
Denmark      dkk     krona      7.43266
Finland      fim     mark       5.94575
France       frf     franc      6.55956
Germany      dem     mark       1.95587
Greece       grd     drachma    326.300
Ireland      iep     punt       0.78786
Italy        itl     lira       1936.27
Luxemburg    luf     franc      40.3399
Netherlands  nlg     guild      2.20374
Portugal     pte     escudo     200.481
Spain        esp     peseta     166.388
Sweden       sek     krona      8.71925
APPENDIX B
EC Regulation 1103/97
Article 4.
1. The conversion rates shall be adopted as one euro expressed in terms of each of the national currencies of the participating Member States. They shall be adopted with six significant figures.
2. The conversion rates shall not be rounded or truncated when making conversions.
3. The conversion rates shall be used for conversions either way between the euro unit and the national currency units. Inverse rates derived from the conversion rates shall not be used.
4. Monetary amounts to be converted from one national currency unit into another shall first be converted into a monetary amount expressed in the euro unit, which amount may be rounded to not less than three decimals and shall then be converted into other national currency unit. No alternative method of calculation may be used unless it produces the same results.
Article 5.
Monetary amounts to be paid or accounted for when a rounding takes place after a conversion into the euro unit pursuant to Article 4 shall be rounded up or down to the nearest cent. Monetary amounts to be paid or accounted for which are converted into a national currency unit shall be rounded up or down to the nearest sub-unit or in the absence of a sub-unit to the nearest unit, or according to national law or practice to a multiple or fraction of the sub-unit or unit of the national currency unit. If the application of the conversion rate gives a result which is exactly half-way, the sum shall be rounded up.